Web Security Holes: A Tasty Treat for Hackers

Vulnerability watcher Secunia recently posted an advisory about a "moderately critical" flaw in an obscure Web-based software application called Fast Menu Restaurant Ordering, which -- as you might expect -- is used by some dining establishments to allow customers to place orders via the Internet.

The image of hungry hackers taking a bite out of this flaw to order up free late-nite munchies from the local mom-and-pop carry-out is amusing enough, but Secunia says the flaw exists because the application doesn't properly "sanitize" input. Ewww. Don't think I want to be eating at one of those restaurants.

Seriously, though ... I mention this advisory to point out just how many of these types of Web-app security flaws are discovered and reported each week. Once a week, the SANS Institute publishes "@RISK," a newsletter that lists all of the software flaws uncovered in the previous week, and the sheer number of such problems is staggering.

Most of the flaws are exactly the type of vulnerabilities the bad guys are attacking these days. Sure, some are in relatively random apps like the restaurant plug-in, but they still deserve serious attention as they represent another way in and around an organization's or individual's perimeter security defenses.

In the first week of June, SANS tracked some 78 different new flaws in Web-facing applications, many of which are third-party, commercial scripts, plug-ins or program modules for various open-source Web applications like PHP, MySQL, Wiki tools and various blog-software utilities.

One of the big problems here -- if you operate a Web site that uses multiple scripts, plug-ins and so on from a mix of open-source and private software developers -- is staying on top of security updates for those titles. People running Linux can use various package installers to search for updates, but for most of those applications, users' only real way to keep up is to sign up for an update-alert mailing list.

Almost a decade ago, Microsoft and a company called Marimba proposed a new data standard called the Open Software Description (OSD) format to the World Wide Web Consortium. The idea behind this grand plan was to have software developers encode basic information about their creations in the programs themselves using a cross-platform language like Extensible Markup Language (XML). The thinking was that if enough developers adopted this format, it would help create a common standard for updating software, and make it far easier for developers to automagically "push" updates out to their user base.
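To make the update-discovery idea concrete, here is a small added example, written for this page and not part of the original post or of the OSD submission itself. It assumes a hypothetical XML manifest whose element and attribute names (SOFTPKGS, SOFTPKG, NAME, VERSION, SECURITY, ABSTRACT) are this example's own, not taken from the W3C document, and a constructed inventory of installed plug-ins. The operator-side check compares dotted versions numerically (so 1.10.0 correctly ranks above 1.9.7), flags which updates are security fixes, and lists installed components that no manifest covers at all, which is exactly the blind spot the paragraph above describes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest in the spirit of OSD. The element and attribute
# names are an assumption made for this example, not the real OSD schema.
MANIFEST_XML = """<?xml version="1.0"?>
<SOFTPKGS>
  <SOFTPKG NAME="fast-menu-ordering" VERSION="2.1.4" SECURITY="true">
    <ABSTRACT>Fixes improper input handling in the order form.</ABSTRACT>
  </SOFTPKG>
  <SOFTPKG NAME="blog-comments-plugin" VERSION="1.10.0" SECURITY="false">
    <ABSTRACT>Feature release.</ABSTRACT>
  </SOFTPKG>
  <SOFTPKG NAME="wiki-toolkit" VERSION="0.9.2" SECURITY="true">
    <ABSTRACT>Closes a cross-site scripting issue.</ABSTRACT>
  </SOFTPKG>
</SOFTPKGS>
"""

# Constructed inventory of what a site operator has installed (hypothetical names).
INSTALLED = {
    "fast-menu-ordering": "2.1.3",
    "blog-comments-plugin": "1.9.7",
    "wiki-toolkit": "0.9.2",
    "photo-gallery": "3.0.0",   # deliberately absent from the manifest
}


def parse_version(version):
    """Split a dotted version into a tuple of ints so '1.10.0' > '1.9.7'.

    Plain string comparison would get this wrong ('1.10.0' < '1.9.7'), which
    is a classic way for an update checker to report a site as current when
    it is not. Anything that is not digits-and-dots is rejected outright.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unexpected version syntax: {version!r}")
    return tuple(int(part) for part in version.split("."))


def parse_manifest(xml_text):
    """Parse the manifest into {name: {version, security, abstract}}.

    A real deployment would fetch this over an authenticated channel and
    verify its origin before trusting it; here the text is embedded inline.
    """
    root = ET.fromstring(xml_text)
    packages = {}
    for pkg in root.findall("SOFTPKG"):
        name = pkg.get("NAME")
        version = pkg.get("VERSION")
        if not name or not version:
            raise ValueError("SOFTPKG entry is missing NAME or VERSION")
        parse_version(version)  # fail early on a malformed manifest entry
        packages[name] = {
            "version": version,
            "security": pkg.get("SECURITY", "false").lower() == "true",
            "abstract": pkg.findtext("ABSTRACT", default="").strip(),
        }
    return packages


def outdated(installed, manifest):
    """Return {name: (installed_version, available_version, is_security_fix)}
    for every installed package that is behind the manifest."""
    report = {}
    for name, have in installed.items():
        entry = manifest.get(name)
        if entry is None:
            continue
        if parse_version(have) < parse_version(entry["version"]):
            report[name] = (have, entry["version"], entry["security"])
    return report


def untracked(installed, manifest):
    """Installed components with no manifest entry: nobody is telling the
    operator about fixes for these, so they need a manual watch."""
    return sorted(name for name in installed if name not in manifest)


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_XML)
    for name, (have, avail, is_sec) in sorted(outdated(INSTALLED, manifest).items()):
        kind = "SECURITY" if is_sec else "feature"
        print(f"{name}: {have} -> {avail} ({kind}) {manifest[name]['abstract']}")
    for name in untracked(INSTALLED, manifest):
        print(f"{name}: installed but not covered by any manifest")
```

Running the script reports the two packages that are behind (one of them a security fix), leaves the up-to-date wiki toolkit alone, and separately calls out the gallery plug-in that no manifest describes; that last list is the one a site operator would have to cover with mailing-list subscriptions, as the post notes.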

At least one notable critic called it a plan to put software retail stores out of business. Needless to say, others were similarly cynical, suspicious or just plain unimpressed, as the proposal did not appear to go anywhere. But to me at least, it doesn't seem to have been such a horrible idea (maybe not in the hands of Redmond but rather in the hands of the open-source software community). Perhaps there are already a bunch of open-source projects starting to come together to foster a larger ecosystem on security updates, but I'm unaware of such a movement. Your thoughts?

Brian, thanks for the interesting history on the OSD format. I've often wondered why Microsoft didn't start including a standard update API with Windows a long time ago. I supposed it had something to do with most vendors in the Windows world wanting to charge users for each new version. After all, it's only relatively recently that users have come to expect free and timely security updates.

I've used a number of Linux package management systems and my two favorites are Gentoo's Portage and Ubuntu's Synaptic. If one can combine Portage's comprehensiveness with Synaptic's ease of use we'd have something close to perfect. Of course that still wouldn't help the Windows world and all the vendors with their conflicting motives and interests.

I figured yours was the blog to post in. Is washingtonpost.com under some kind of attack? I can't get to the main page (it says not found) and then when I can do it and click on a link, the site crashes again and goes back to not found status.

Ajax is certainly vulnerable to web application layer attacks, although the techniques themselves may not be new. Due to the sheer volume of requests in an Ajax site, however, their attack surface area is greatly increased.

Also, just wanted to point out that this article appears to be talking fairly specifically about canned web apps. That's ok, but really doesn't address the problem well; canned web apps are easily managed in the existing security paradigm; it's the in-house developed software / web apps that are a major issue.